Hello,

I'm having some difficulty accessing the API. Following the directions shown here: Far away to be identical (Identity management chaos or a development of a fun), I am trying to use the following curl commands:

    curl -kv -H Referer:https://$IPASERVER1/ipa -c $COOKIEJAR -b $COOKIEJAR --negotiate -u : -X POST https://$IPASERVER1/ipa/ui

I get the following output:

    Andrews-MacBook-Pro :) > curl -kv -H Referer:https://$IPASERVER1/ipa -c $COOKIEJAR -b $COOKIEJAR --negotiate -u : -X POST https://$IPASERVER1/ipa/ui
    * Trying 10.1.6.250...
    * TCP_NODELAY set
    * Connected to $IPASERVER1 (10.1.6.250) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    * CAfile: /etc/ssl/cert.pem
      CApath: none
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
    * ALPN, server did not agree to a protocol
    * Server certificate:
    * subject: O=EXAMPLE.NET; CN=$IPASERVER1
    * start date: Mar 6 21:52:54 2018 GMT
    * expire date: Mar 6 21:52:54 2020 GMT
    * issuer: O=EXAMPLE.NET; CN=Certificate Authority
    * SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
    > POST /ipa/ui HTTP/1.1
    > Host: $IPASERVER1
    > User-Agent: curl/7.54.0
    > Accept: */*
    > Referer:https://$IPASERVER1/ipa
    >
    < HTTP/1.1 301 Moved Permanently
    < Date: Mon, 20 Aug 2018 19:50:50 GMT
    < Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5
    * Added cookie ipa_session="" for domain $IPASERVER1, path /ipa, expire 1534794650
    < Set-Cookie: ipa_session=;Max-Age=0;path=/ipa;httponly;secure;
    < X-Frame-Options: DENY
    < Content-Security-Policy: frame-ancestors 'none'
    < Location: https://$IPASERVER1/ipa/ui/
    < Cache-Control: max-age=31536000
    < Expires: Tue, 20 Aug 2019 19:50:50 GMT
    < Cache-Control: no-cache
    * Replaced cookie ipa_session="" for domain $IPASERVER1, path /ipa, expire 1534794650
    < Set-Cookie: ipa_session=;Max-Age=0;path=/ipa;httponly;secure;
    < Content-Length: 255
    < Content-Type: text/html; charset=iso-8859-1
    <
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>301 Moved Permanently</title>
    </head><body>
    <h1>Moved Permanently</h1>
    <p>The document has moved <a href="https://$IPASERVER1/ipa/ui/">here</a>.</p>
    </body></html>
    * Connection #0 to host $IPASERVER1 left intact
    Andrews-MacBook-Pro :) >

Then I run this:

    Andrews-MacBook-Pro :) > curl -kv -H referer:https://$IPASERVER1/ipa -H "Content-Type:application/json" -H "Accept:applicaton/json" -c $COOKIEJAR -b $COOKIEJAR -d $JSON_PAYLOAD -X POST https://$IPASERVER1/ipa/session/json
    * Rebuilt URL to: POST/
    * Trying 104.16.143.73...
    * TCP_NODELAY set
    * Connected to POST (104.16.143.73) port 80 (#0)
    > POST / HTTP/1.1
    > Host: POST
    > User-Agent: curl/7.54.0
    > referer:https://$IPASERVER1/ipa
    > Content-Type:application/json
    > Accept:applicaton/json
    > Content-Length: 2
    >
    * upload completely sent off: 2 out of 2 bytes
    < HTTP/1.1 403 Forbidden
    < Date: Mon, 20 Aug 2018 19:53:36 GMT
    < Content-Type: text/html; charset=UTF-8
    < Transfer-Encoding: chunked
    < Connection: close
    * skipped cookie with bad tailmatch domain: post
    < Set-Cookie: __cfduid=d805f1a1676001cf1532cc7c25208107f1534794816; expires=Tue, 20-Aug-19 19:53:36 GMT; path=/; domain=.post; HttpOnly
    < Cache-Control: max-age=15
    < Expires: Mon, 20 Aug 2018 19:53:51 GMT
    < X-Frame-Options: SAMEORIGIN
    < Server: cloudflare-nginx
    < CF-RAY: 44d76832d2d654e6-ORD
    <
    <!DOCTYPE html>
    <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
    <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->
    <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->
    <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]-->
    <head>
    <title>Direct IP access not allowed | Cloudflare</title>
    <meta charset="UTF-8" />
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />
    <meta name="robots" content="noindex, nofollow" />
    <meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1" />
    <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />
    <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->
    <style type="text/css">body{margin:0;padding:0}</style>
    <!--[if gte IE 10]><!--><script type="text/javascript" src="/cdn-cgi/scripts/zepto.min.js"></script><!--<![endif]-->
    <!--[if gte IE 10]><!--><script type="text/javascript" src="/cdn-cgi/scripts/cf.common.js"></script><!--<![endif]-->
    </head>
    <body>
    <div id="cf-wrapper">
    <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div>
    <div id="cf-error-details" class="cf-error-details-wrapper">
    <div class="cf-wrapper cf-header cf-error-overview">
    <h1> <span class="cf-error-type" data-translate="error">Error</span> <span class="cf-error-code">1003</span> <small class="heading-ray-id">Ray ID: 44d76832d2d654e6 • 2018-08-20 19:53:36 UTC</small> </h1>
    <h2 class="cf-subheadline">Direct IP access not allowed</h2>
    </div><!-- /.header -->
    <section></section><!-- spacer -->
    <div class="cf-section cf-wrapper">
    <div class="cf-columns two">
    <div class="cf-column">
    <h2 data-translate="what_happened">What happened?</h2>
    <p>You've requested an IP address that is part of the <a data-orig-proto="https" data-orig-ref="www.cloudflare.com/5xx-error-landing?utm_source=error_100x" target="_blank">Cloudflare</a> network. A valid Host header must be supplied to reach the desired website.</p>
    </div>
    <div class="cf-column">
    <h2 data-translate="what_can_i_do">What can I do?</h2>
    <p>If you are interested in learning more about Cloudflare, please <a data-orig-proto="https" data-orig-ref="www.cloudflare.com/5xx-error-landing?utm_source=error_100x" target="_blank">visit our website</a>.</p>
    </div>
    </div>
    </div><!-- /.section -->
    <div class="cf-error-footer cf-wrapper">
    <p> <span class="cf-footer-item">Cloudflare Ray ID: <strong>44d76832d2d654e6</strong></span> <span class="cf-footer-separator">•</span> <span class="cf-footer-item"><span>Your IP</span>: 209.116.32.50</span> <span class="cf-footer-separator">•</span> <span class="cf-footer-item"><span>Performance & security by</span> <a href="https://www.cloudflare.com/5xx-error-landing?utm_source=error_footer" id="brand_link" target="_blank">Cloudflare</a></span> </p>
    </div><!-- /.error-footer -->
    </div><!-- /#cf-error-details -->
    </div><!-- /#cf-wrapper -->
    <script type="text/javascript"> window._cf_translation = {}; </script>
    </body></html>
    * Closing connection 0
    * Trying 10.1.6.250...
    * TCP_NODELAY set
    * Connected to $IPASERVER1 (10.1.6.250) port 443 (#1)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    * CAfile: /etc/ssl/cert.pem
      CApath: none
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
    * ALPN, server did not agree to a protocol
    * Server certificate:
    * subject: O=EXAMPLE.NET; CN=$IPASERVER
    * start date: Mar 6 21:52:54 2018 GMT
    * expire date: Mar 6 21:52:54 2020 GMT
    * issuer: O=EXAMPLE.NET; CN=Certificate Authority
    * SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
    > POST /ipa/session/json HTTP/1.1
    > Host: $IPASERVER1
    > User-Agent: curl/7.54.0
    > referer:https://$IPASERVER1/ipa
    > Content-Type:application/json
    > Accept:applicaton/json
    > Content-Length: 2
    >
    * upload completely sent off: 2 out of 2 bytes
    < HTTP/1.1 401 Unauthorized
    < Date: Mon, 20 Aug 2018 19:53:36 GMT
    < Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5
    < WWW-Authenticate: Negotiate
    * Added cookie ipa_session="" for domain $IPASERVER1, path /ipa, expire 1534794816
    < Set-Cookie: ipa_session=;Max-Age=0;path=/ipa;httponly;secure;
    < X-Frame-Options: DENY
    < Content-Security-Policy: frame-ancestors 'none'
    < Last-Modified: Thu, 30 Nov 2017 20:03:14 GMT
    < Accept-Ranges: bytes
    < Content-Length: 1474
    < Cache-Control: no-cache
    < Content-Type: text/html; charset=UTF-8
    <
    <!DOCTYPE html>
    <html>
    <head>
    <meta charset="utf-8">
    <title>Identity Management</title>
    <script type="text/javascript" src="../ui/js/libs/loader.js"></script>
    <script type="text/javascript"> (function() { var styles = [ '../ui/css/patternfly.css', '../ui/css/ipa.css' ]; ipa_loader.styles(styles); })(); </script>
    </head>
    <body class="info-page">
    <nav class="navbar navbar-default navbar-pf" role="navigation">
    <div class="navbar-header"> <a class="brand" href="../ui/index.html"><img src="../ui/images/header-logo.png" alt="Identity Management"></a> </div>
    </nav>
    <div class="container-fluid">
    <div class="row">
    <div class="col-sm-12">
    <h1>Unable to verify your Kerberos credentials</h1>
    <p> Please make sure that you have valid Kerberos tickets (obtainable via <strong>kinit</strong>), and that you have configured your browser correctly. </p>
    <h2>Browser configuration</h2>
    <div id="first-time">
    <p> If this is your first time, please <strong>configure your browser</strong>. Use <a href="browserconfig.html">Firefox configuration page</a> for Firefox or <a href="ssbrowser.html">manual configuration page</a> for other browsers. </p>
    </div>
    </div>
    </div>
    </div>
    </body>
    </html>
    * Connection #1 to host $IPASERVER1 left intact

I was able to export/extract my Kerberos key for this user. I found something on Stack Exchange or another website like it that said I could use the variables KRB5_CLIENT_KTNAME & KRB5CCNAME, which I have defined, and I think curl should pick up on those. However, it's still not authenticating me. Is there something else I need to be doing? Maybe something I did wrong?

Regards,
Andrew Meyer
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/HMSRMRHPBHOFTAV6E4DOAG46VALLJFP3/
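The second transcript in the message above shows `Rebuilt URL to: POST/`, a plaintext request to a host named `POST`, and a 2-byte body on both requests, which is consistent with an unquoted `$JSON_PAYLOAD` expanding to nothing so that `-d` takes `-X` as its data. The sketch below is an added example, not part of the original post: `parse_like_curl` is a hypothetical stand-in that models only how `-d`, `-X` and bare words are assigned, and the host name is a constructed placeholder.

```shell
#!/bin/sh
# Added illustration, not from the original post. parse_like_curl is a
# hypothetical stand-in for curl's argument handling: it models only that
# -d and -X each consume the next word and any other word is a URL.
parse_like_curl() {
    data='<none>'; method='<default>'; urls=''
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -d) shift; data=${1-} ;;
            -X) shift; method=${1-} ;;
            *)  urls="${urls:+$urls,}$1" ;;
        esac
        [ "$#" -eq 0 ] || shift
    done
    printf 'data=%s method=%s urls=%s\n' "$data" "$method" "$urls"
}

URL='https://ipa.example.test/ipa/session/json'   # constructed placeholder
unset JSON_PAYLOAD                                # the state the transcript suggests

# Unquoted: the empty expansion disappears, -d swallows "-X" (2 bytes),
# and "POST" is left over as a first URL ahead of the intended one.
unquoted=$(parse_like_curl -d $JSON_PAYLOAD -X POST "$URL")

# Quoted: -d receives an empty string and -X POST keeps its meaning.
quoted=$(parse_like_curl -d "$JSON_PAYLOAD" -X POST "$URL")

# Guarded: ${VAR:?} stops the subshell before any request is assembled.
guarded=$( (parse_like_curl -d "${JSON_PAYLOAD:?not set}" -X POST "$URL") 2>/dev/null || echo refused)

printf 'unquoted: %s\nquoted:   %s\nguarded:  %s\n' "$unquoted" "$quoted" "$guarded"
```
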